Understanding Initialization

Caution You must initialize the sensor before you can choose
Configuration > sensor_name > Sensor Setup in IME to further configure the sensor.

After you install the sensor on your network, you must use the setup command to initialize it so that you can communicate with it over the network. With the setup command, you configure basic sensor settings, including the hostname, IP interfaces, access control lists, Global Correlation servers, and time settings. You can continue using Advanced Setup in the CLI to enable Telnet, configure the Web Server, and assign and enable virtual sensors and interfaces, or you can use the Startup Wizard in IME.

After you initialize the sensor, you can make any changes and configure other network parameters in Sensor Setup.

For More Information

For the procedure for using the setup command to initialize the sensor, see Basic Sensor Setup.

Configuring Network Settings

This section describes how to change the network settings, and contains the following topics:

Network Pane

Note You must be administrator to configure network settings.

After you use the setup command to initialize the sensor, the network and communication parameter values appear in the Network pane. If you need to change these parameters, you can do so in the Network pane.

Network Pane Field Definitions

The following fields are found in the Network pane:

•Hostname—Name of the sensor.

The hostname can be a string of 1 to 64 characters that matches the pattern ^[A-Za-z0-9_/-]+$. The default is sensor. You receive an error message if the name contains a space or exceeds 64 alphanumeric characters.

•IP Address—IP address of the sensor. The default is 192.168.1.2.

•Network Mask—Mask corresponding to the IP address. The default is 255.255.255.0.

•Default Route—Default gateway address. The default is 192.168.1.1.

•FTP Timeout (seconds)—Sets the amount of time in seconds that the FTP client waits before timing out when the sensor is communicating with an FTP server.

•DNS/Proxy Settings—Lets you configure either an HTTP proxy server or DNS server to support global correlation.

If you are using a DNS server, you must configure at least one DNS server and it must be reachable for global correlation updates to be successful. You can configure other DNS servers as backup servers. DNS queries are sent to the first server in the list. If it is unreachable, DNS queries are sent to the next configured DNS server.

Caution For global correlation to function, you must have either a DNS server or an HTTP proxy server configured at all times.
Caution DNS resolution is supported only for accessing the global correlation update server.

–Enable TLS/SSL—Enables TLS and SSL in the Web Server. The default is enabled.

Note We strongly recommend that you enable TLS and SSL.

–Web Server Port—TCP port used by the Web Server. The default is 443 for HTTPS.

Note You receive an error message if you enter a value out of the range of 1 to 65535.

•Remote Access—Lets you enable Telnet.

–Enable Telnet—Enables or disables Telnet for remote access to the sensor.

Note Telnet is not a secure access service and therefore is disabled by default.

Configuring Network Settings

Caution You must have a valid sensor license for global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.

To configure network settings, follow these steps:

Step 1 Log in to IME using an account with administrator privileges.

Step 2 Choose Configuration > sensor_name > Sensor Setup > Network.

Step 3 To edit the sensor hostname, enter the new name in the Hostname field.

Step 4 To change the sensor IP address, enter the new address in the IP Address field.

Step 5 To change the network mask, enter the new mask in the Network Mask field.

Step 6 To change the default gateway, enter the new address in the Default Route field.

Step 7 To change the amount of FTP timeout, enter the new amount in seconds the FTP Timeout field. The default is 300 seconds.

Step 8 To configure either an HTTP proxy server or at least one DNS server to support global correlation, enter the HTTP proxy server IP address in the HTTP Proxy Server field and the port number in the HTTP Proxy Port field, or enter the DNS server IP address in the DNS Primary field.

If you are using a DNS server, you must configure at least one DNS server and it must be reachable for global correlation updates to be successful. You can configure other DNS servers as backup servers. DNS queries are sent to the first server in the list. If it is unreachable, DNS queries are sent to the next configured DNS server.

Caution For global correlation to function, you must have either a DNS server or an HTTP proxy server configured at all times.
Caution DNS resolution is supported only for accessing the global correlation update server.

Note TLS and SSL are protocols that enable encrypted communications between a web browser and the Web Server. When TLS/SSL is enabled, you connect to IME using https://sensor_ip_address. If you disable TLS/SSL, connect to IME using http://sensor_ip_address:port_number.

Step 11 To change the Web Server port, enter the new port number in the Web Server Port field.

Note If you change the Web Server port, you must specify the port in the URL address of your browser when you connect to IME. Use the following format: https://sensor_ip_address:port_number (for example, https://10.1.9.201:1040).

Allowed Hosts/Networks Pane

Note You must be administrator to configure allowed hosts and networks.

After you use the setup command to initialize the sensor, the allowed hosts parameter values appear in the Allowed Hosts/Networks pane. If you need to change these parameters for hosts or networks that have permission to access the sensor, you can do so in the Allowed Hosts/Networks pane.

By default, there are no entries in the list, and therefore no hosts are permitted until you add them.

Note You must add the management host, such as ASDM, IDM, IME, Cisco Security Manager and the monitoring host, such as Cisco Security Mars, to the allowed hosts list, otherwise they cannot communicate with the sensor.

Caution When adding, editing, or deleting allowed hosts, make sure that you do not delete the IP address used for remote management of the sensor.

Time Pane

Use the Time pane to configure the sensor local date, time, time zone, summertime (DST), and whether the sensor will use an NTP server for its time source.

Note We recommend that you use an NTP server as the sensor time source.

Time Sources and the Sensor

The sensor requires a reliable time source. All events (alerts) must have the correct UTC and local time stamp, otherwise, you cannot correctly analyze the logs after an attack. When you initialize the sensor, you set up the time zones and summertime settings. This section provides a summary of the various ways to set the time on sensors.

Note We recommend that you use an NTP server. You can use authenticated or unauthenticated NTP. For authenticated NTP, you must obtain the NTP server IP address, NTP server key ID, and the key value from the NTP server. You can set up NTP during initialization or you can configure NTP through the CLI, IDM, IME, or ASDM.

Appliances

•Use the clock set command to set the time. This is the default.

•Configure the appliance to get its time from an NTP time synchronization source.

IDSM2

•The IDSM2 can automatically synchronize its clock with the switch time. This is the default. The UTC time is synchronized between the switch and the IDSM2. The time zone and summertime settings are not synchronized between the switch and the IDSM2.

Note Be sure to set the time zone and summertime settings on both the switch and the IDSM2 to ensure that the UTC time settings are correct. The local time of the IDSM2 could be incorrect if the time zone and/or summertime settings do not match between the IDSM2 and the switch.

•Configure the IDSM2 to get its time from an NTP time synchronization source.

AIM IPS and the NME IPS

•AIM IPS and NME IPS can automatically synchronize their clock with the clock in the router chassis in which they are installed (parent router). This is the default. The UTC time is synchronized between the parent router and AIM IPS and NME IPS. The time zone and summertime settings are not synchronized between the parent router and AIM IPS and NME IPS.

Note Be sure to set the time zone and summertime settings on both the parent router and AIM IPS and NME IPS to ensure that the UTC time settings are correct. The local time of AIM IPS and NME IPS could be incorrect if the time zone and/or summertime settings do not match between AIM IPS and NME IPS and the router.

•Configure the AIM IPS and NME IPS to get their time from an NTP time synchronization source, such as a Cisco router, other than the parent router.

AIP SSM

•The AIP SSM automatically synchronizes its clock with the clock in the adaptive security appliance in which it is installed. This is the default.

•Configure the AIP SSM to get its time from an NTP time synchronization source, such as a Cisco router other than the parent router.

Synchronizing IPS Module System Clocks with Parent Device System Clocks

All IPS modules (AIM IPS, AIP SSM, IDSM2, and NME IPS) synchronize their system clocks to the parent chassis clock (switch, router, or security appliance) each time the module boots up and any time the parent chassis clock is set. The module clock and parent chassis clock tend to drift apart over time. The difference can be as much as several seconds per day. To avoid this problem, make sure that both the module clock and the parent clock are synchronized to an external NTP server. If only the module clock or only the parent chassis clock is synchronized to an NTP server, the time drift occurs.

Verifying the Sensor is Synchronized with the NTP Server

In Cisco IPS, you cannot apply an incorrect NTP configuration, such as an invalid NTP key value or ID, to the sensor. If you try to apply an incorrect configuration, you receive an error message. To verify the NTP configuration, use the show statisticshost command to gather sensor statistics. The NTP statistics section provides NTP statistics including feedback on sensor synchronization with the NTP server.

To verify the NTP configuration, follow these steps:

Step 1 Log in to the sensor.

Step 2 Generate the host statistics:

sensor# show statistics host

...

NTP Statistics

remote refid st t when poll reach delay offset jitter

11.22.33.44 CHU_AUDIO(1) 8 u 36 64 1 0.536 0.069 0.001

LOCAL(0) 73.78.73.84 5 l 35 64 1 0.000 0.000 0.001

ind assID status conf reach auth condition last_event cnt

1 10372 f014 yes yes ok reject reachable 1

2 10373 9014 yes yes none reject reachable 1

status = Not Synchronized

...

Step 3 Generate the hosts statistics again after a few minutes:

sensor# show statistics host

...

NTP Statistics

remote refid st t when poll reach delay offset jitter

*11.22.33.44 CHU_AUDIO(1) 8 u 22 64 377 0.518 37.975 33.465

LOCAL(0) 73.78.73.84 5 l 22 64 377 0.000 0.000 0.001

ind assID status conf reach auth condition last_event cnt

1 10372 f624 yes yes ok sys.peer reachable 2

2 10373 9024 yes yes none reject reachable 2

status = Synchronized

Step 4 If the status continues to read Not Synchronized, check with the NTP server administrator to make sure the NTP server is configured correctly.

Time Pane Field Definitions

The following fields are found in the Time pane:

•Sensor Local Date—Current date on the sensor. The default is January 1, 1970. You receive an error message if the day value is out of range for the month.

•Sensor Local Time—Current time (hh:mm:ss) on the sensor. The default is 00:00:00. You receive an error message if the hours, minutes, or seconds are out of range.

Note The date and time fields are disabled if the sensor does not support these fields, or if you have configured NTP settings on the sensor.

•Standard Time Zone—Lets you set the zone name and UTC offset.

–Zone Name—Local time zone when summertime is not in effect. The default is UTC. You can choose from a predefined set of 37 time zones, or you can create a unique name (24 characters) in the following pattern: ^[A-Za-z0-9()+:,_/-]+$

–UTC Offset—Local time zone offset in minutes. The default is 0. If you select a predefined time zone this field is populated automatically.

Note Changing the time zone offset requires the sensor to reboot.

•NTP Server—Lets you configure the sensor to use an NTP server as its time source.

–IP Address—IP address of the NTP server if you use this to set time on the sensor.

–Authenticated NTP—Lets you use authenticated NTP, which requires a key and key ID.

–Key—NTP MD5 key type.

–Key ID—ID of the key (1 to 65535) used to authenticate on the NTP server. You receive an error message if the key ID is out of range.

–Unauthenticated NTP—Lets you use NTP, but does not require authentication, therefore, no key or key ID.

•Summertime—Lets you enable and configure summertime settings.

–Enable Summertime—Click to enable summertime mode. The default is disabled.

Configure Summertime Dialog Box Field Definitions

The following fields are found in the Configure Summertime dialog box:

•Summer Zone Name—Summertime zone name. The default is UTC. You can choose from a predefined set of 37 time zones, or you can create a unique name (24 characters) in the following pattern: ^[A-Za-z0-9()+:,_/-]+$

•Offset—The number of minutes to add during summertime. The default is 60. If you choose a predefined time zone, this field is populated automatically.

Note Changing the time zone offset requires the sensor to reboot.

•Start Time—Summertime start time setting. The value is hh:mm. You receive an error message if the hours or minutes are out of range.

•End Time—Summertime end time setting. The value is hh:mm. You receive an error message if the hours or minutes are out of range.

•Summertime Duration—Lets you set whether the duration is recurring or a single date.

–Recurring—Duration is in recurring mode.

–Date—Duration is in nonrecurring mode.

–Start—Start week, day, and month setting.

–End—End week, day, and month setting.

Configuring Time on the Sensor

To configure time on the sensor, follow these steps:

Step 1 Log in to IME using an account with administrator privileges.

Step 2 Choose Configuration > sensor_name > Sensor Setup > Time.

Step 3 Under Sensor Local Date, select the current date from the drop-down lists.

Date indicates the date on the local host.

Step 4 Under Sensor Local Time, enter the current time (hh:mm:ss).

Time indicates the time on the local host. To see the current time, click Refresh.

Caution If you accidentally specify the incorrect time, stored events have the wrong time stamp. You must clear the events.

Note You cannot change the date or time on modules or if you have configured NTP.

Step 5 Under Standard Time Zone configure the time zone and offset:

a. In the Zone Name field, choose a time zone from the drop- down list, or enter one that you have created.

This is the time zone to be displayed when summertime hours are not in effect.

b. In the UTC Offset field, enter the offset in minutes from UTC.

If you choose a predefined time zone name, this field is automatically populated.

Note Changing the time zone offset requires the sensor to reboot.

Step 6 If you are using NTP synchronization, under NTP Server enter the following:

•The IP address of the NTP server in the IP Address field.

•If using authenticated NTP, check the Authenticated NTP check box, and then enter the key of the NTP server in the Key field, and the key ID of the NTP server in the Key ID field.

Step 16 If you changed the time and date settings (Step 3 and Step 4), you must also click Apply Time toSensor to save the time and date settings on the sensor.

Correcting Time on the Sensor

If you set the time incorrectly, your stored events have the incorrect time because they are stamped with the time the event was created.

The Event Store time stamp is always based on UTC time. If during the original sensor setup, you set the time incorrectly by specifying 8:00 p.m. rather than 8:00 a.m., when you do correct the error, the corrected time is set backwards. New events might have times older than old events.

For example, if during the initial setup, you configure the sensor as central time with daylight saving time enabled and the local time is 8:04 p.m., the time is displayed as 20:04:37 CDT and has an offset from UTC of -5 hours (01:04:37 UTC, the next day). A week later at 9:00 a.m., you discover the error: the clock shows 21:00:23 CDT. You then change the time to 9:00 a.m. and now the clock shows 09:01:33 CDT. Because the offset from UTC has not changed, it requires that the UTC time now be 14:01:33 UTC, which creates the time stamp problem.

To ensure the integrity of the time stamp on the event records, you must clear the event archive of the older events by using the clear events command.

Note You cannot remove individual events.

For More Information

For the procedure for clearing events from Event Store, see Clearing Events.

Configuring NTP

This section describes how to configure a Cisco router to be an NTP server and how to configure the sensor to use an NTP server as its time source. It contains the following topics:

Configuring a Cisco Router to be an NTP Server

The sensor requires an authenticated connection with an NTP server if it is going to use the NTP server as its time source. The sensor supports only the MD5 hash algorithm for key encryption. Use the following procedure to activate a Cisco router to act as an NTP server and use its internal clock as the time source.

Caution The sensor NTP capability is designed to be compatible with Cisco routers acting as NTP servers. The sensor may work with other NTP servers, but is not tested or supported.

Note Remember the NTP server key ID and key values. You need them along with the NTP server IP address when you configure the sensor to use the NTP server as its time source.

To set up a Cisco router to act as an NTP server, follow these steps:

Step 1 Log in to the router.

Step 2 Enter configuration mode.

router# configure terminal

Step 3 Create the key ID and key value.

router(config)# ntp authentication-key key_IDmd5 key_value

The key ID can be a number between 1 and 65535. The key value is text (numeric or character). It is encrypted later.

Example

router(config)# ntp authentication-key 100 md5 attack

Note The sensor only supports MD5 keys.

Note Keys may already exist on the router. Use the show running configuration command to check for other keys. You can use those values for the trusted key in Step 4.

Step 4 Designate the key you just created in Step 3 as the trusted key (or use an existing key).

router(config)# ntp trusted-key key_ID

The trusted key ID is the same number as the key ID in Step 3.

Example

router(config)# ntp trusted-key 100

Step 5 Specify the interface on the router with which the sensor will communicate.

router(config)# ntp source interface_name

Example

router(config)# ntp source FastEthernet 1/0

Step 6 Specify the NTP master stratum number to be assigned to the sensor.

router(config)# ntp master stratum_number

Example

router(config)# ntp master 6

The NTP master stratum number identifies the relative position of the server in the NTP hierarchy. You can choose a number between 1 and 15. It is not important to the sensor which number you choose.

Configuring the Sensor to Use an NTP Time Source

The sensor requires a consistent time source. We recommend that you use an NTP server. Use the following procedure to configure the sensor to use the NTP server as its time source. You can use authenticated or unauthenticated NTP.

Note For authenticated NTP, you must obtain the NTP server IP address, NTP server key ID, and the key value from the NTP server.

Caution The sensor NTP capability is designed to be compatible with Cisco routers acting as NTP servers. The sensor may work with other NTP servers but is not tested or supported.

To configure the sensor to use an NTP server as its time source, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter configuration mode.

sensor# configure terminal

Step 3 Enter service host mode.

sensor(config)# service host

Step 4 Configure unauthenticated NTP.

a. Enter NTP configuration mode:

sensor(config-hos)# ntp-option enabled-ntp-unauthenticated

b. Specify the NTP server IP address.

sensor(config-hos-ena)# ntp-server ip_address

c. Verify the unauthenticated NTP settings.

sensor(config-hos-ena)# show settings

enabled-ntp-unauthenticated

-----------------------------------------------

ntp-server: 10.89.147.45

-----------------------------------------------

sensor(config-hos-ena)#

Step 5 Configure authenticated NTP.

a. Enter NTP configuration mode.

sensor(config-hos)# ntp-option enable

b. Specify the NTP server IP address and key ID.

sensor(config-hos-ena)# ntp-servers ip_addresskey-id key_ID

The key ID is a number between 1 and 65535. This is the key ID that you already set up on the NTP server.

Example

sensor(config-hos-ena)# ntp-servers 10.16.0.0 key-id 100

c. Specify the key value NTP server.

sensor(config-hos-ena)# ntp-keyskey_IDmd5-key key_value

The key value is text (numeric or character). This is the key value that you already set up on the NTP server.

Example

sensor(config-hos-ena)# ntp-keys 100 md5-key attack

d. Verify the NTP settings.

sensor(config-hos-ena)# show settings

enabled

-----------------------------------------------

ntp-keys (min: 1, max: 1, current: 1)

-----------------------------------------------

key-id: 100

-----------------------------------------------

md5-key: attack

-----------------------------------------------

-----------------------------------------------

ntp-servers (min: 1, max: 1, current: 1)

-----------------------------------------------

ip-address: 10.16.0.0

key-id: 100

-----------------------------------------------

-----------------------------------------------

sensor(config-hos-ena)#

Step 6 Exit NTP configuration mode.

sensor(config-hos-ena)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]

Step 7 Press Enter to apply the changes or enter no to discard them.

Manually Setting the System Clock

Note You do not need to set the system clock if your sensor is synchronized by a valid outside timing mechanism such as an NTP clock source

Use the clock sethh:mm [:ss] month day year command to manually set the clock on the appliance. Use this command if no other time sources are available.

The clock set command does not apply to the following platforms:

•AIM IPS

•AIP SSM

•IDSM2

•NME IPS

To manually set the clock on the appliance, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Set the clock manually.

sensor# clock set 13:21 Mar 29 2008

Note The time format is 24-hour time.

Clearing Events

Use the clear events command to clear Event Store.

To clear events from Event Store, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Clear Event Store.

sensor# clear events

Warning: Executing this command will remove all events currently stored in the event
store.

Continue with clear? []:

Step 3 Enter yes to clear the events.

Configuring Authentication and Users

This section describes how to add and remove users on the system, and how to configure authentication. It contains the following topics:

Authentication Pane

Note You must be administrator to add and edit users.

Caution Make sure you have a RADIUS server already configured before you configure RADIUS authentication on the sensor. IPS 7.0(4) has been tested with CiscoSecure ACS 4.2 servers. Refer to your RADIUS server documentation for information on how to set up a RADIUS server.

Use the Authentication pane to configure users who can log in to the sensor. Multiple users are permitted to log in at a time. You can create and remove users from the local sensor. You can only modify one user account at a time. Each user is associated with a role that controls what that user can and cannot modify. The requirements that must be used for user passwords are set in the Passwords pane.

You can create and remove users from the local sensor. You can only modify one user account at a time. Each user is associated with a role that controls what that user can and cannot modify. The requirements that must be used for user passwords are set with the password command.

Users are authenticated through AAA either locally or through RADIUS servers. Local authentication is enabled by default. You must configure RADIUS authentication before it is active.

You must specify the user role that is authenticated through RADIUS either by configuring the user role on the RADIUS server or specifying a default user role on the Authentication pane. The username and password are sent in an authentication request to the configured RADIUS server. The response of the server determines whether the login is authenticated.

Note If the sensor is not configured to use a default user role and the sensor user role information in not in the Accept Message of the CiscoSecure ACS server, the sensor rejects RADIUS authentication even if the CiscoSecure ACS server accepts the username and password.

You can configure a primary RADIUS server and a secondary RADIUS server. The secondary RADIUS server authenticates and authorizes users if the primary RADIUS server is unresponsive.

You can also configure the sensor to use local authentication (local fallback) if no RADIUS servers are responding. In this case, the sensor authenticates against the locally configured user accounts. The sensor will only use local authentication if the RADIUS servers are not available, not if the RADIUS server rejects the authentication requests of the user.

You can also configure how users connected through the console port are authenticated—through local user accounts, through RADIUS first and if that fails through local user accounts, or through RADIUS alone. If you have local fallback enabled, the SSH and Telnet sessions try to authenticate as local accounts. If you have local fallback disabled, the SSH and Telnet sessions fail.

To configure a RADIUS server on the Authentication pane, you must have the IP address, port, and shared secret of the RADIUS server. You must also either have the NAS-ID of the RADIUS server, or have the RADIUS server configured to authenticate clients without a NAS-ID or with the default IPS NAS-ID of cisco-ips.

Note Enabling RADIUS authentication on the sensor does not disconnect already established connections. RADIUS authentication is only enforced for new connections to the sensor. Existing CLI, IDM, and IME connections remain established with the login credentials used prior to configuring RADIUS authentication. To force disconnection of these established connections, you must reset the sensor after RADIUS is configured.

Understanding User Roles

Caution You should carefully consider whether you want to create a service account. The service account provides shell access to the system, which makes the system vulnerable. However, you can use the service account to create a password if the administrator password is lost. Analyze your situation to decide if you want a service account existing on the system.

•Administrator—Can view everything and can modify all options that operators can modify in addition to the following:

–Sensor addressing configuration

–List of hosts allowed to connect as configuration or viewing agents

–Assignment of physical sensing interfaces

–Enable or disable control of physical interfaces

–Add and delete users and passwords

–Generate new SSH host keys and server certificates

•Service—Only one user with service privileges can exist on a sensor. The service user cannot log in to IDM or IMEIME. The service user logs in to a bash shell rather than the CLI.

The service role is a special role that allows you to bypass the CLI if needed. Only one service account is allowed. You should only create an account with the service role for troubleshooting purposes. Only a user with administrator privileges can edit the service account.

When you log in to the service account, you receive the following warning:

This account is intended to be used for support and troubleshooting purposes only.
Unauthorized modifications are not supported and will require this device to be
re-imaged to guarantee proper operation.

Understanding the Service Account

You can create a service account for TAC to use during troubleshooting. Although more than one user can have access to the sensor, only one user can have service privileges on a sensor. The service account is for support purposes only.

Caution Do not make modifications to the sensor through the service account except under the direction of TAC. If you use the service account to configure the sensor, your configuration is not supported by TAC. Adding services to the operating system through the service account affects proper performance and functioning of the other IPS services. TAC does not support a sensor on which additional services have been added.

Note The root user password is synchronized to the service account password when the service account is created. To gain root access you must log in with the service account and switch to user root with the su - root command.

Caution You should carefully consider whether you want to create a service account. The service account provides shell access to the system, which makes the system vulnerable. However, you can use the service account to create a password if the administrator password is lost. Analyze your situation to decide if you want a service account existing on the system.

Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported. If you remove the cisco account through the service account, the sensor most likely will not boot up, so to recover the sensor you must reinstall the sensor system image.

The Service Account and RADIUS Authentication

If you are using RADIUS authentication and want to create and use a service account, you must create the service account both on your sensor and on the RADIUS server.

You must use local authentication to access the service account on the sensor. The service account must be created manually as a local account on the sensor. Then when you configure RADIUS authentication, the service account must also be configured manually on the RADIUS server with the accept message set to ip-role=service.

When you log in to the service account, you are authenticated against both the sensor account and the RADIUS server account. By whatever method you use to access the service account—serial console port, direct monitor/keyboard (for sensors that support it), or a network connection, such as SSH or Telnet—you have to log in using local authentication.

RADIUS Authentication Functionality and Limitations

The current AAA RADIUS implementation has the following functionality and limitations:

•Authentication with a RADIUS server

However, you cannot change the password of the RADIUS server from the IPS.

•Authorization

You can perform role-based authorization by specifying the IPS role of the user on the RADIUS server.

•Accounting

The login attempts of the user and the configuration changes are logged as events locally on the IPS. However, these account messages are not communicated to the RADIUS server.

Authentication Pane Field Definitions

The following fields are found in the Authentication pane:

•User Authentication—Lets you choose either local authentication or authentication using a RADIUS server.

•Local Authentication—Lets you specify the users that have access to this sensor:

–Username—The username follows the pattern ^[A-Za-z0-9()+:,_/-]+$, which means the username must start with a letter or number, and can include any letter A to Z (capital or small), any number 0 to 9, - and _, and can contain 1 to 64 characters.

–Role—The user role values are Administrator, Operator, Service, and Viewer. The default is Viewer.

Note Only one user with the role of service is allowed.

–Status—Displays the current user account status, such as active, expired, or locked.

•RADIUS Authentication—Lets you specify RADIUS as the method of authentication:

–Network Access ID—Identifies the service requesting authentication. The value can be no NAS-ID, cisco-ips, or a NAS-ID already configured on the RADIUS server. The default is cisco-ips.

–Default User Role—Lets you assign a default user role on the sensor that is only applied when there is NOT a Cisco av pair specifying the user role. The default role values are Administrator, Operator, Viewer, and Unspecified. Service role cannot be the default user role. The default is Unspecified.

Note If you do not want to configure a default user role on the sensor that is applied in the absence of a Cisco av pair, you need to configure the Cisco IOS/PIX 6.x RADIUS Attributes [009\001] cisco-av-pair under the group or user profile with one of the following options: ips-role=administrator, ips-role=operator, ips-role=viewer, ips-role=service, or ips-role=unspecified.

Note If the sensor is not configured to use a default user role and the sensor user role information in not in the Accept Message of the CiscoSecure ACS server, the sensor rejects RADIUS authentication even if the CiscoSecure ACS server accepts the username and password.

Note The default user role is used only when the user has not been configured with a specific role on the ACS server. Local users are always configured with a specific role so the default user role will never apply to locally authenticated users.

–Allow Local Authentication if all RADIUS Servers are Unresponsive—If checked, lets you default to local authentication if the RADIUS servers are not responding. The default is enabled.

•Primary RADIUS Server—Lets you configure the main RADIUS server:

–Server IP Address—IP address of the RADIUS server.

–Authentication Port—Port of the RADIUS server. If not specified, the default RADIUS port is used.

–Timeout (seconds)—Specifies the number of seconds the sensor waits for a response from a RADIUS server before it considers the server to be unresponsive.

–Shared Secret—The secret value configured on the RADIUS server. You must obtain the secret value of the RADIUS server and enter it in the Shared Secret field.

Note You must have the same secret value configured on both the RADIUS server and the IPS sensor so that the server can authenticate the requests of the client and the client can authenticate the responses of the server.

–Authentication Port—Port of the RADIUS server. If not specified, the default RADIUS port is used.

–Timeout (seconds)—Specifies the number of seconds the sensor waits for a response from a RADIUS server before it considers the server to be unresponsive.

–Shared Secret—The secret value configured on the RADIUS server. You must obtain the secret value of the RADIUS server and enter it in the Shared Secret field.

Note You must have the same secret value configured on both the RADIUS server and the IPS sensor so that the server can authenticate the requests of the client and the client can authenticate the responses of the server.

•Console Authentication—Lets you choose how users connected through the console port are authenticated:

Note Login sessions created with the ASA session command are authenticated as console logins.

–Local—Users connected through the console port are authenticated through local user accounts.

–Local and RADIUS—Users connected through the console port are authenticated through RADIUS first. If RADIUS fails, local authentication is attempted. This is the default.

–RADIUS—Users connected through the console port are authenticated by RADIUS. If you also have Allow Local Authentication if all Radius Servers are Unresponsive enabled, users can also be authenticated through the local user accounts.

Add and Edit User Dialog Boxes Field Definitions

The following fields found in the Add and Edit User dialog boxes:

•Username—The username. The username follows the pattern ^[A-Za-z0-9()+:,_/-]+$, which means the username must start with a letter or number, and can include any letter A to Z (capital or small), any number 0 to 9, - and _, and can contain 1 to 64 characters.

•User Role—The user role values are Administrator, Operator, Service, and Viewer. The default is Viewer.

Note Only one user with the role of service is allowed.

•Password—The user password must conform to the requirements set by the sensor administrator in the Passwords pane.

•Confirm Password—Lets you confirm the password. You receive an error message if the confirm password does not match the user password.

•Change the password to access the sensor—Lets you change the password of the user. Only available in the Edit dialog box.

For More Information

For detailed information on setting up password requirements that all users on the sensor must follow, see Configuring Passwords.

Adding, Editing, Deleting Users, and Creating Accounts

Caution Make sure you have a RADIUS server already configured before you configure RADIUS authentication on the sensor. IPS 7.0(4) has been tested with CiscoSecure ACS 4.2 servers. Refer to your RADIUS server documentation for information on how to set up a RADIUS server.

Note Enabling RADIUS authentication on the sensor does not disconnect already established connections. RADIUS authentication is only enforced for new connections to the sensor. Existing CLI, IDM, and IME connections remain established with the login credentials used prior to configuring RADIUS authentication. To force disconnection of these established connections, you must reset the sensor after RADIUS is configured.

Step 12 Click OK. The edited user appears in the users list in the Authentication pane.

Step 13 To delete a user from the user list, select the user, and click Delete. That user is no longer in the users list in the Authentication pane.

Step 14 To configure RADIUS authentication:

a. In the Network Access ID field, enter the NAS-ID. The NAS-ID is an identifier that clients send to servers to communicate the type of service they are attempting to authenticate. The value can be no NAS-ID, cisco-ips, or a NAS-ID already configured on the RADIUS server. The default is cisco-ips.

b. (Optional) Configure a default user role if you are not configuring a Cisco av pair. From the Default User Role drop-down menu, choose the user role for this user. This assigns a default user role on the sensor that is only applied when there is NOT a Cisco av pair specifying the user role. The values are Administrator, Operator, Viewer, or Unspecified. The default is Unspecified.

Note The default user role is used only when the user has not been configured with a specific role on the ACS server. Local users are always configured with a specific role so the default user role will never apply to locally authenticated users.

Note Service cannot be the default role.

c. Configure a Cisco av pair. If you do not want to configure a default user role on the sensor that is applied in the absence of a Cisco av pair, you need to configure the Cisco IOS/PIX 6.x RADIUS Attributes [009\001] cisco-av-pair under the group or user profile with one of the following options:

–ips-role=viewer

–ips-role=operator

–ips-role=administrator

–ips-role=service

–ips-role=unspecified

Note If the sensor is not configured to use a default user role and the sensor user role information in not in the Accept Message of the CiscoSecure ACS server, the sensor rejects RADIUS authentication even if the CiscoSecure ACS server accepts the username and password.

d. If you want to switch over to local authentication if the RADIUS server becomes unresponsive, check the Allow Local Authentication if all RADIUS Servers are Unresponsive check box.

g. In the Timeout (seconds) field, enter the amount of time in seconds you want to wait for the RADIUS server to respond.

h. In the Shared Secret field, enter the secret value that you obtained from the RADIUS server. The shared secret is a piece of data known only to the parties involved in a secure communication.

Note You must have the same secret value configured on both the RADIUS server and the IPS sensor so that the server can authenticate the requests of the client and the client can authenticate the responses of the server.

i. (Optional) To enable a secondary RADIUS server to perform authentication in case the primary RADIUS server is not responsive, check the Enable a Secondary RADIUS Server check box.

j. In the Server IP Address field, enter the IP address of the second RADIUS server.

k. In the Authentication Port field, enter the RADIUS server port.

l. In the Timeout (seconds) field, enter the amount of time in seconds you want to wait for the RADIUS server to respond.

m. In the Shared Secret field, enter the secret value you obtained for this RADIUS server.

n. From the Console Authentication drop-down list, choose the type of console authentication. You can choose Local, Local and RADIUS, or RADIUS.

Note Login sessions created with the ASA session command are authenticated as console logins.

Unlocking Locked User Accounts

Note When you configure account locking, local authentication, as well as RADIUS authentication, is affected. After a specified number of failed attempts to log in locally or in to a RADIUS account, the account is locked locally on the sensor. For local accounts, you can reset the password or use the unlock user username command to unlock the account. For RADIUS user accounts, you must use the unlock user username command to unlock the account.

Use the unlock user username command in global configuration mode to unlock accounts for users who have been locked out after a specified number of failed attempts.

Note The unlock command is only supported in IPS 7.0(4)E4 and later and does not work in earlier IPS software versions.

To configure account unlocking, follow these steps:

Step 1 Log in to the sensor using an account with administrator privileges.

Step 2 Check to see if any users have locked accounts. The account of the user jsmith is locked as indicated by the parentheses.

sensor# show users all

CLI ID User Privilege

* 1349 cisco administrator

5824 (jsmith) viewer

9802 tester operator

Step 3 Enter global configuration mode.

sensor# configure terminal

sensor(config)#

Step 4 Unlock the account.

sensor(config)# unlock user jsmith

Step 5 Check your new setting. The account of the user jsmith is now unlocked as indicated by the lack of parenthesis.

Locking User Accounts

Note When you configure account locking, local authentication, as well as RADIUS authentication, is affected. After a specified number of failed attempts to log in locally or in to a RADIUS account, the account is locked locally on the sensor. For local accounts, you can reset the password or use the unlock user username command to unlock the account. For RADIUS user accounts, you must use the unlock user username command to unlock the account.

Use the attemptLimitnumber command in authentication submode to lock accounts so that users cannot keep trying to log in after a certain number of failed attempts. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.

To configure account locking, follow these steps:

Step 1 Log in to the sensor using an account with administrator privileges.

Step 2 Enter service authentication submode.

sensor# configure terminal

sensor(config)# service authentication

Step 3 Set the number of attempts users will have to log in to accounts.

sensor(config-aut)# attemptLimit 3

Step 4 Check your new setting.

sensor(config-aut)# show settings

attemptLimit: 3 defaulted: 0

sensor(config-aut)#

Step 5 To set the value back to the system default setting.

sensor(config-aut)# defaultattemptLimit

Step 6 Check that the setting has returned to the default.

sensor(config-aut)# show settings

attemptLimit: 0 <defaulted>

sensor(config-aut)#

Step 7 Check to see if any users have locked accounts. The account of the user jsmith is locked as indicated by the parentheses.

Note When you apply a configuration that contains a non-zero value for attemptLimit, a change is made in the SSH server that may subsequently impact your ability to connect with the sensor. When attemptLimit is non-zero, the SSH server requires the client to support challenge-response authentication. If you experience problems after your SSH client connects but before it prompts for a password, you need to enable challenge-response authentication. Refer to the documentation for your SSH client for instructions.